Rename Crypto -> SubtleCrypto, placing it in window.crypto.subtle
authorRyan Sleevi <sleevi@google.com>
Sun, 27 Jan 2013 20:59:29 -0800
changeset 28 17347680f504
parent 27 b67eda58e695
child 29 d3d5457ef60b
Rename Crypto -> SubtleCrypto, placing it in window.crypto.subtle

One of the ongoing points of feedback/confusion is regarding the exposure of
low-level algorithms to web developers. Some view this as an inherently
dangerous proposition, because web developers can't or don't understand
cryptographic tradeoffs. However, such a low-level interface is necessary to
support a variety of web applications, including applications or libraries that
provide secure high-level compositions.

Because protocols vary in requirements, and because these compositions vary in
implementation, a low-level API is necessary to support them. However, to make
it clearer to developers that this is subtle and easy to get wrong (just like
any other aspect of development, if not more so), move the existing Crypto
interface into SubtleCrypto.
spec/Overview-WebCryptoAPI.xml
spec/Overview.html
--- a/spec/Overview-WebCryptoAPI.xml	Sun Jan 27 20:58:49 2013 -0800
+++ b/spec/Overview-WebCryptoAPI.xml	Sun Jan 27 20:59:29 2013 -0800
@@ -644,7 +644,7 @@
             <div class="note">
               <p>
                 Do not generate keys using the <code>getRandomValues</code> method. Use the
-                <a href="#dfn-Crypto-method-generateKey"><code>generateKey</code></a> method instead.
+                <a href="#dfn-SubtleSubtleCrypto-method-generateKey"><code>generateKey</code></a> method instead.
               </p>
             </div>
           </div>
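Review bot: The new anchor `#dfn-SubtleSubtleCrypto-method-generateKey` has "Subtle" doubled, which looks like a rename applied twice; the interface anchor added in this commit is `dfn-SubtleCrypto` and the section ids are `SubtleCrypto-method-*`. The same doubled prefix is on every method `href` in the IDL hunk and on each `<dfn id="...">` in the encrypt, decrypt, sign, verify, digest, generateKey, deriveKey, importKey and exportKey hunks. In the visible hunks the references and targets agree, so the links still resolve, but these ids become public fragment identifiers that other documents link to, so they are cheaper to fix now: `<a href="#dfn-SubtleCrypto-method-generateKey">` here and `<dfn id="dfn-SubtleCrypto-method-generateKey">` at the definition. The enclosing note `<div>` starts outside this hunk.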
@@ -1315,6 +1315,21 @@
       <div id="crypto-interface" class="section">
         <h2>Crypto interface</h2>
         <x:codeblock language="idl">
+interface <dfn id="dfn-Crypto">Crypto</dfn> {
+  readonly attribute <a href="#dfn-SubtleCrypto">SubtleCrypto</a> subtle;
+};
+
+<a href="#dfn-Crypto">Crypto</a> implements <a href="#dfn-RandomSource">RandomSource</a>;
+
+partial interface Window {
+  readonly attribute <a href="#dfn-Crypto">Crypto</a> crypto;
+};
+        </x:codeblock>
+      </div>
+
+      <div id="subtlecrypto-interface" class="section">
+        <h2>SubtleCrypto interface</h2>
+        <x:codeblock language="idl">
 enum <dfn id="dfn-KeyFormat">KeyFormat</dfn> {
   <span class="comment">// An unformatted sequence of bytes. Intended for secret keys.</span>
   "raw",
@@ -1326,46 +1341,40 @@
   "jwk",
 };
 
-interface <dfn id="dfn-Crypto">Crypto</dfn> {
-  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-Crypto-method-encrypt">encrypt</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+interface <dfn id="dfn-SubtleCrypto">SubtleCrypto</dfn> {
+  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-encrypt">encrypt</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
                           <a href="#dfn-Key">Key</a> key,
                           optional ArrayBufferView? buffer = null);
-  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-Crypto-method-decrypt">decrypt</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-decrypt">decrypt</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
                           <a href="#dfn-Key">Key</a> key,
                           optional ArrayBufferView? buffer = null);
-  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-Crypto-method-sign">sign</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-sign">sign</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
                        <a href="#dfn-Key">Key</a> key,
                        optional ArrayBufferView? buffer = null);
-  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-Crypto-method-verify">verify</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-verify">verify</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
                          <a href="#dfn-Key">Key</a> key,
                          ArrayBufferView signature,
                          optional ArrayBufferView? buffer = null);
-  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-Crypto-method-digest">digest</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-digest">digest</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
                          optional ArrayBufferView? buffer = null);
 
   <span class="comment">// TBD: <a href="https://www.w3.org/2012/webcrypto/track/issues/36">ISSUE-36</a></span>
-  <a href="#dfn-KeyOperation">KeyOperation</a> <a href="#dfn-Crypto-method-generateKey">generateKey</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+  <a href="#dfn-KeyOperation">KeyOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-generateKey">generateKey</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
                            bool extractable = false,
                            <a href="#dfn-KeyUsage">KeyUsage</a>[] keyUsages = []);
-  <a href="#dfn-KeyOperation">KeyOperation</a> <a href="#dfn-Crypto-method-deriveKey">deriveKey</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+  <a href="#dfn-KeyOperation">KeyOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-deriveKey">deriveKey</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
                          <a href="#dfn-Key">Key</a> baseKey,
                          <a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a>? derivedKeyType,
                          bool extractable = false,
                          <a href="#dfn-KeyUsage">KeyUsage</a>[] keyUsages = []);
   
   <span class="comment">// TBD: <a href="https://www.w3.org/2012/webcrypto/track/issues/35">ISSUE-35</a></span>
-  <a href="#dfn-KeyOperation">KeyOperation</a> <a href="#dfn-Crypto-method-importKey">importKey</a>(<a href="#dfn-KeyFormat">KeyFormat</a> format,
+  <a href="#dfn-KeyOperation">KeyOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-importKey">importKey</a>(<a href="#dfn-KeyFormat">KeyFormat</a> format,
                          ArrayBufferView keyData,
                          <a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a>? algorithm,
                          bool extractable = false,
                          <a href="#dfn-KeyUsage">KeyUsage</a>[] keyUsages = []);
-  <a href="#dfn-KeyOperation">KeyOperation</a> <a href="#dfn-Crypto-method-exportKey">exportKey</a>(<a href="#dfn-KeyFormat">KeyFormat</a> format, <a href="#dfn-Key">Key</a> key);
-};
-
-<a href="#dfn-Crypto">Crypto</a> implements <a href="#dfn-RandomSource">RandomSource</a>;
-
-partial interface Window {
-  readonly attribute <a href="#dfn-Crypto">Crypto</a> crypto;
+  <a href="#dfn-KeyOperation">KeyOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-exportKey">exportKey</a>(<a href="#dfn-KeyFormat">KeyFormat</a> format, <a href="#dfn-Key">Key</a> key);
 };
         </x:codeblock>
         <div class="ednote">
@@ -1386,12 +1395,54 @@
             </li>
           </ul>
         </div>
-        <div id="crypto-interface-methods" class="section">
+        <div id="subtlecrypto-interface-description" class="section">
+          <h3>Description</h3>
+          <p class="norm">This section is non-normative.</p>
+          <p>
+            The <a href="#dfn-SubtleCrypto">SubtleCrypto</a> interface provides a set of
+            methods for dealing with low-level cryptographic primitives and algorithms. It is
+            named <code>SubtleCrypto</code> to reflect the fact that many of these algorithms
+            have subtle usage requirements in order to provide the required algorithmic
+            security guarantees.
+          </p>
+          <p>
+            For example, the direct use of an unauthenticated encryption scheme, such as
+            <a href="#aes-ctr">AES in counter mode</a>, gives potential attackers the ability to
+            manipulate bits in the output by manipulating bits in the input, compromising the
+            integrity of the message. However, AES-CTR can be used securely in combination
+            with other cryptographic primitives, such as message authentication codes, to ensure
+            the integrity of the protected message, but only when the message authentication
+            code is constructed over the encrypted message and IV.
+          </p>
+          <p>
+            Developers making use of the SubtleCrypto interface are expected to be aware of the
+            security concerns associated with both the design and implementation of the various
+            algorithms provided. The raw algorithms are provided in order to allow developers
+            maximum flexibility in implementing a variety of protocols and applications, each of
+            which may represent the composition and security parameters in a unique manner that
+            necessitate the use of the raw algorithms.
+          </p>
+          <div class="ednote">
+            <p>
+              Because of the subtleties associated with this API, the Web Cryptography Working
+              Group is also investigating providing a high-level API which provides a
+              comprehensive secure construction and messaging format, to allow new web
+              applications to exchange information without having to be aware of the cryptographic
+              subtleties associated with these individual algorithms.
+            </p>
+            <p>
+              It is likely that such a high-level API will produce messages using algorithms and
+              formats defined in the IETF JOSE Working Group, although this is still a topic of
+              discussion.
+            </p>
+          </div>
+        </div>
+        <div id="subtlecrypto-interface-methods" class="section">
           <h3>Methods and Parameters</h3>
-          <div id="Crypto-method-encrypt" class="section">
+          <div id="SubtleCrypto-method-encrypt" class="section">
             <h4>The encrypt method</h4>
             <p>
-              The <dfn id="dfn-Crypto-method-encrypt"><code>encrypt</code></dfn>
+              The <dfn id="dfn-SubtleSubtleCrypto-method-encrypt"><code>encrypt</code></dfn>
               method returns a new <a href="#dfn-CryptoOperation"><code>CryptoOperation</code></a>
               object that will encrypt data using the specified
               <a href="#dfn-AlgorithmIdentifier"><code>AlgorithmIdentifier</code></a> with
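Review bot: The AES-CTR paragraph in the new non-normative Description states only one of the conditions under which the composition is safe, and its wording of the malleability problem is ambiguous. "Manipulate bits in the output by manipulating bits in the input" does not say which side is ciphertext; I would write `allows an attacker who alters bits of the ciphertext to alter the corresponding bits of the decrypted message`. Since the paragraph is there to show why the interface is subtle, it should also name the other two requirements a developer is likely to miss, for example `The authentication code must be verified before the message is decrypted, and a counter block must never be reused with the same key.` Separately, "in a unique manner that necessitate" in the third paragraph should read `necessitates`. The encrypt method section that follows continues outside this hunk.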
@@ -1490,10 +1541,10 @@
             </ol>
           </div>
 
-          <div id="Crypto-method-decrypt" class="section">
+          <div id="SubtleCrypto-method-decrypt" class="section">
             <h4>The decrypt method</h4>
             <p>
-              The <dfn id="dfn-Crypto-method-decrypt"><code>decrypt</code></dfn>
+              The <dfn id="dfn-SubtleSubtleCrypto-method-decrypt"><code>decrypt</code></dfn>
               method returns a new <a href="#dfn-CryptoOperation"><code>CryptoOperation</code></a>
               object that will decrypt data using the specified
               <a href="#dfn-AlgorithmIdentifier"><code>AlgorithmIdentifier</code></a> with
@@ -1592,10 +1643,10 @@
             </ol>
           </div>
 
-          <div id="Crypto-method-sign" class="section">
+          <div id="SubtleCrypto-method-sign" class="section">
             <h4>The sign method</h4>
             <p>
-              The <dfn id="dfn-Crypto-method-sign"><code>sign</code></dfn> method
+              The <dfn id="dfn-SubtleSubtleCrypto-method-sign"><code>sign</code></dfn> method
               returns a new <a href="#dfn-CryptoOperation"><code>CryptoOperation</code></a>
               object that will sign data using the specified
               <a href="#dfn-AlgorithmIdentifier"><code>AlgorithmIdentifier</code></a> with
@@ -1693,10 +1744,10 @@
             </ol>
           </div>
 
-          <div id="Crypto-method-verify" class="section">
+          <div id="SubtleCrypto-method-verify" class="section">
             <h4>The verify method</h4>
             <p>
-              The <dfn id="dfn-Crypto-method-verify"><code>verify</code></dfn> method
+              The <dfn id="dfn-SubtleSubtleCrypto-method-verify"><code>verify</code></dfn> method
               returns a new <a href="#dfn-CryptoOperation"><code>CryptoOperation</code></a>
               object that will verify data using the specified
               <a href="#dfn-AlgorithmIdentifier"><code>AlgorithmIdentifier</code></a> with
@@ -1794,10 +1845,10 @@
             </ol>
           </div>
 
-          <div id="Crypto-method-digest" class="section">
+          <div id="SubtleCrypto-method-digest" class="section">
             <h4>The digest method</h4>
             <p>
-              The <dfn id="dfn-Crypto-method-digest"><code>digest</code></dfn> method returns
+              The <dfn id="dfn-SubtleSubtleCrypto-method-digest"><code>digest</code></dfn> method returns
               a new <a href="#dfn-CryptoOperation"><code>CryptoOperation</code></a>
               object that will digest data using the specified
               <a href="#dfn-AlgorithmIdentifier"><code>AlgorithmIdentifier</code></a>.
@@ -1895,10 +1946,10 @@
             </ol>
           </div>
 
-          <div id="Crypto-method-generateKey" class="section">
+          <div id="SubtleCrypto-method-generateKey" class="section">
             <h4>The generateKey method</h4>
             <p>
-              When invoked, <dfn id="dfn-Crypto-method-generateKey"><code>generateKey</code></dfn> <span class="RFC2119">MUST</span> perform the following steps:
+              When invoked, <dfn id="dfn-SubtleSubtleCrypto-method-generateKey"><code>generateKey</code></dfn> <span class="RFC2119">MUST</span> perform the following steps:
             </p>
             <ol>
               <li>
@@ -1995,10 +2046,10 @@
             </div>
           </div>
           
-          <div id="Crypto-method-deriveKey" class="section">
+          <div id="SubtleCrypto-method-deriveKey" class="section">
             <h4>The deriveKey method</h4>
             <p>
-              When invoked, <dfn id="dfn-Crypto-method-deriveKey"><code>deriveKey</code></dfn> <span class="RFC2119">MUST</span> perform the following steps:
+              When invoked, <dfn id="dfn-SubtleSubtleCrypto-method-deriveKey"><code>deriveKey</code></dfn> <span class="RFC2119">MUST</span> perform the following steps:
             </p>
             <ol>
               <li>
@@ -2104,12 +2155,12 @@
             </div>
           </div>
 
-          <div id="Crypto-method-importKey" class="section">
-            <h4>The <dfn id="dfn-Crypto-method-importKey">importKey</dfn> method</h4>
+          <div id="SubtleCrypto-method-importKey" class="section">
+            <h4>The <dfn id="dfn-SubtleSubtleCrypto-method-importKey">importKey</dfn> method</h4>
             <p></p>
           </div>
-          <div id="Crypto-method-exportKey" class="section">
-            <h4>The <dfn id="dfn-Crypto-method-exportKey">exportKey</dfn> method</h4>
+          <div id="SubtleCrypto-method-exportKey" class="section">
+            <h4>The <dfn id="dfn-SubtleSubtleCrypto-method-exportKey">exportKey</dfn> method</h4>
             <p></p>
           </div>
           
@@ -2182,7 +2233,7 @@
           <p>
             The Working Group is actively discussing means of discovering <code><a href="#dfn-Key">Key</a></code>
             objects that are not not directly created by the application via
-            <code><a href="#Crypto-method-generateKey">generateKey</a></code>, or allowing
+            <code><a href="#SubtleCrypto-method-generateKey">generateKey</a></code>, or allowing
             web applications to indicate how and where the cryptographic keying material associated with
             <code>Key</code> objects is stored. Examples of such <code>Key</code> objects or interfaces that
             may be exposed include:
@@ -3575,7 +3626,7 @@
   }
 };
 
-var keyGen = window.crypto.generateKey(algorithmKeyGen,
+var keyGen = window.crypto.subtle.generateKey(algorithmKeyGen,
                                        false, <span class="comment">// extractable</span>
                                        ["sign"]);
 
@@ -3628,7 +3679,7 @@
 };
 
 <span class="comment">// Create a keygenerator to produce a one-time-use AES key to encrypt some data</span>
-var cryptoKeyGen = window.crypto.generateKey(aesAlgorithmKeyGen,
+var cryptoKeyGen = window.crypto.subtle.generateKey(aesAlgorithmKeyGen,
                                              false, <span class="comment">// extractable</span>
                                              ["encrypt"]);
 
@@ -3638,7 +3689,7 @@
 
   <span class="comment">// Unlike the signing example, which showed multi-part encryption, here we
   // will perform the entire AES operation in a single call.</span>
-  var aesOp = window.crypto.encrypt(aesAlgorithmEncrypt, aesKey, clearDataArrayBufferView);
+  var aesOp = window.crypto.subtle.encrypt(aesAlgorithmEncrypt, aesKey, clearDataArrayBufferView);
   aesOp.oncomplete = function(event) {
     <span class="comment">// The clearData has been encrypted.</span>
     var ciphertext = event.target.result; <span class="comment">// ArrayBufferView</span>
--- a/spec/Overview.html	Sun Jan 27 20:58:49 2013 -0800
+++ b/spec/Overview.html	Sun Jan 27 20:59:29 2013 -0800
@@ -49,7 +49,7 @@
 communications.
       </p>
   
-      <div class="ednote"><div class="ednoteHeader">Editorial note</div><p>There are 22 further editorial notes in the document.</p></div>
+      <div class="ednote"><div class="ednoteHeader">Editorial note</div><p>There are 23 further editorial notes in the document.</p></div>
     </div>
 
     <div class="section">
@@ -141,7 +141,7 @@
 
     <div id="toc">
       <h2>Table of Contents</h2>
-      <div class="toc"><ul><li><a href="#introduction">1. Introduction</a></li><li><a href="#use-cases">2. Use Cases</a><ul><li><a href="#multifactor-authentication">2.1. Multi-factor Authentication</a></li><li><a href="#protected-document">2.2. Protected Document Exchange</a></li><li><a href="#cloud-storage">2.3. Cloud Storage</a></li><li><a href="#document-signing">2.4. Document Signing</a></li><li><a href="#data-integrity-protection">2.5. Data Integrity Protection</a></li><li><a href="#secure-messaging">2.6. Secure Messaging</a></li><li><a href="#jose">2.7. Javascript Object Signing and Encryption (JOSE)</a></li></ul></li><li><a href="#conformance">3. Conformance</a></li><li><a href="#scope">4. Scope</a><ul><li><a href="#scope-abstraction">4.1. Level of abstraction</a></li><li><a href="#scope-algorithms">4.2. Cryptographic algorithms</a></li><li><a href="#scope-operations">4.3. Operations</a></li><li><a href="#scope-out-of-scope">4.4. Out of scope</a></li></ul></li><li><a href="#security">5. Security considerations</a><ul><li><a href="#security-implementers">5.1. Security considerations for implementers</a></li><li><a href="#security-developers">5.2. Security considerations for developers</a></li></ul></li><li><a href="#privacy">6. Privacy considerations</a></li><li><a href="#dependencies">7. Dependencies</a></li><li><a href="#terminology">8. Terminology</a></li><li><a href="#RandomSource-interface">9. RandomSource interface</a><ul><li><a href="#RandomSource-description">9.1. Description</a></li><li><a href="#RandomSource-interface-methods">9.2. Methods and Parameters</a><ul><li><a href="#RandomSource-method-getRandomValues">9.2.1. The getRandomValues method</a></li></ul></li></ul></li><li><a href="#algorithm-dictionary">10. Algorithm dictionary</a><ul><li><a href="#algorithm-dictionary-members">10.1. Algorithm Dictionary Members</a></li></ul></li><li><a href="#key-interface">11. Key interface</a><ul><li><a href="#key-interface-description">11.1. 
Description</a></li><li><a href="#key-interface-members">11.2. Key interface members</a></li><li><a href="#key-interface-clone">11.3. Structured clone algorithm</a></li></ul></li><li><a href="#cryptooperation-interface">12. CryptoOperation interface</a><ul><li><a href="#CryptoOperation-processing-model">12.1. Processing Model</a></li><li><a href="#cryptooperation-events">12.2. Event Handler Attributes</a></li><li><a href="#CryptoOperation-attributes">12.3. Attributes</a></li><li><a href="#CryptoOperation-methods">12.4. Methods</a><ul><li><a href="#CryptoOperation-method-process">12.4.1. process(ArrayBufferView data)</a></li><li><a href="#CryptoOperation-method-finish">12.4.2. The finish() method</a></li><li><a href="#CryptoOperation-method-abort">12.4.3. The abort() method</a></li></ul></li></ul></li><li><a href="#KeyOperation-interface">13. KeyOperation interface</a></li><li><a href="#crypto-interface">14. Crypto interface</a><ul><li><a href="#crypto-interface-methods">14.1. Methods and Parameters</a><ul><li><a href="#Crypto-method-encrypt">14.1.1. The encrypt method</a></li><li><a href="#Crypto-method-decrypt">14.1.2. The decrypt method</a></li><li><a href="#Crypto-method-sign">14.1.3. The sign method</a></li><li><a href="#Crypto-method-verify">14.1.4. The verify method</a></li><li><a href="#Crypto-method-digest">14.1.5. The digest method</a></li><li><a href="#Crypto-method-generateKey">14.1.6. The generateKey method</a></li><li><a href="#Crypto-method-deriveKey">14.1.7. The deriveKey method</a></li><li><a href="#Crypto-method-importKey">14.1.8. The importKey method</a></li><li><a href="#Crypto-method-exportKey">14.1.9. The exportKey method</a></li></ul></li></ul></li><li><a href="#WorkerCrypto-interface">15. WorkerCrypto interface</a><ul><li><a href="#WorkerCrypto-description">15.1. Description</a></li></ul></li><li><a href="#big-integer">16. BigInteger</a></li><li><a href="#keypair">17. KeyPair</a></li><li><a href="#key-discovery">18. 
Key Discovery</a></li><li><a href="#algorithms">19. Algorithms</a><ul><li><a href="#recommended-algorithms">19.1. Recommended algorithms</a></li><li><a href="#defining-an-algorithm">19.2. Defining an algorithm</a><ul><li><a href="#recognized-algorithm-name">19.2.1. Recognized algorithm name</a></li><li><a href="#supported-operations">19.2.2. Supported operations</a></li><li><a href="#algorithm-specific-params">19.2.3. Algorithm-specific parameters</a></li><li><a href="#algorithm-result">19.2.4. Algorithm results</a></li><li><a href="#algorithm-alias">19.2.5. Algorithm aliases</a></li></ul></li><li><a href="#rsaes-pkcs1">19.3. RSAES-PKCS1-v1_5</a><ul><li><a href="#rsaes-pkcs1-description">19.3.1. Description</a></li><li><a href="#rsaes-pkcs1-registration">19.3.2. Registration</a></li><li><a href="#RsaKeyGenParams-dictionary">19.3.3. RsaKeyGenParams dictionary</a></li><li><a href="#rsaes-pkcs1-operations">19.3.4. Operations</a></li></ul></li><li><a href="#rsassa-pkcs1">19.4. RSASSA-PKCS1-v1_5</a><ul><li><a href="#rsassa-pkcs1-description">19.4.1. Description</a></li><li><a href="#rsassa-pkcs1-registration">19.4.2. Registration</a></li><li><a href="#RsaSsaParams-dictionary">19.4.3. RsaSsaParams dictionary</a></li><li><a href="#rsassa-pkcs1-operations">19.4.4. Operations</a></li></ul></li><li><a href="#rsa-pss">19.5. RSA-PSS</a><ul><li><a href="#rsa-pss-description">19.5.1. Description</a></li><li><a href="#rsa-pss-registration">19.5.2. Registration</a></li><li><a href="#rsa-pss-params">19.5.3. RsaPssParams dictionary</a></li><li><a href="#rsa-pss-operations">19.5.4. Operations</a></li></ul></li><li><a href="#rsa-oaep">19.6. RSA-OAEP</a><ul><li><a href="#rsa-oaep-description">19.6.1. Description</a></li><li><a href="#rsa-oaep-registration">19.6.2. Registration</a></li><li><a href="#rsa-oaep-params">19.6.3. RsaOaepParams dictionary</a></li><li><a href="#rsa-oaep-operations">19.6.4. Operations</a></li></ul></li><li><a href="#ecdsa">19.7. 
ECDSA</a><ul><li><a href="#ecdsa-description">19.7.1. Description</a></li><li><a href="#ecdsa-registration">19.7.2. Registration</a></li><li><a href="#EcdsaParams-dictionary">19.7.3. EcdsaParams dictionary</a></li><li><a href="#EcKeyGenParams-dictionary">19.7.4. EcKeyGenParams dictionary</a></li><li><a href="#ecdsa-operations">19.7.5. Operations</a></li></ul></li><li><a href="#ecdh">19.8. ECDH</a><ul><li><a href="#ecdh-description">19.8.1. Description</a></li><li><a href="#ecdh-registration">19.8.2. Registration</a></li><li><a href="#dh-EcdhKeyDeriveParams">19.8.3. EcdhKeyDeriveParams dictionary</a></li><li><a href="#ecdh-operations">19.8.4. Operations</a></li></ul></li><li><a href="#aes-ctr">19.9. AES-CTR</a><ul><li><a href="#aes-ctr-description">19.9.1. Description</a></li><li><a href="#aes-ctr-registration">19.9.2. Registration</a></li><li><a href="#aes-ctr-params">19.9.3. AesCtrParams dictionary</a></li><li><a href="#aes-keygen-params">19.9.4. AesKeyGenParams dictionary</a></li><li><a href="#aes-ctr-operations">19.9.5. Operations</a></li></ul></li><li><a href="#aes-cbc">19.10. AES-CBC</a><ul><li><a href="#aes-cbc-description">19.10.1. Description</a></li><li><a href="#aes-cbc-registration">19.10.2. Registration</a></li><li><a href="#aes-cbc-params">19.10.3. AesCbcParams dictionary</a></li><li><a href="#aes-cbc-operations">19.10.4. Operations</a></li></ul></li><li><a href="#aes-gcm">19.11. AES-GCM</a><ul><li><a href="#aes-gcm-description">19.11.1. Description</a></li><li><a href="#aes-gcm-registration">19.11.2. Registration</a></li><li><a href="#aes-gcm-params">19.11.3. AesGcmParams dictionary</a></li><li><a href="#aes-gcm-operations">19.11.4. Operations</a></li></ul></li><li><a href="#hmac">19.12. HMAC</a><ul><li><a href="#hmac-description">19.12.1. Description</a></li><li><a href="#hmac-registration">19.12.2. Registration</a></li><li><a href="#hmac-params">19.12.3. HmacParams dictionary</a></li><li><a href="#hmac-operations">19.12.4. 
Operations</a></li></ul></li><li><a href="#dh">19.13. Diffie-Hellman</a><ul><li><a href="#dh-description">19.13.1. Description</a></li><li><a href="#dh-registration">19.13.2. Registration</a></li><li><a href="#dh-DhKeyGenParams">19.13.3. DhKeyGenParams dictionary</a></li><li><a href="#dh-DhKeyDeriveParams">19.13.4. DhKeyDeriveParams dictionary</a></li><li><a href="#dh-operations">19.13.5. Operations</a></li></ul></li><li><a href="#sha">19.14. SHA</a><ul><li><a href="#sha-description">19.14.1. Description</a></li><li><a href="#sha-registration">19.14.2. Registration</a></li><li><a href="#sha-operations">19.14.3. Operations</a></li></ul></li><li><a href="#concatkdf">19.15. Concat KDF</a><ul><li><a href="#concatkdf-description">19.15.1. Description</a></li><li><a href="#concatkdf-registration">19.15.2. Registration</a></li><li><a href="#concat-params">19.15.3. ConcatParams dictionary</a></li><li><a href="#concat-operations">19.15.4. Operations</a></li></ul></li><li><a href="#pbkdf2">19.16. PBKDF2</a><ul><li><a href="#pbkdf2-description">19.16.1. Description</a></li><li><a href="#pbkdf2-registration">19.16.2. Registration</a></li><li><a href="#pbkdf2-params">19.16.3. Pbkdf2Params dictionary</a></li><li><a href="#pbkdf2-operations">19.16.4. Operations</a></li></ul></li></ul></li><li><a href="#algorithm-normalizing-rules">20. Algorithm normalizing rules</a></li><li><a href="#examples-section">21. JavaScript Example Code</a><ul><li><a href="#examples-signing">21.1. Generate a signing key pair, sign some data</a></li><li><a href="#examples-symmetric-encryption">21.2. Symmetric Encryption</a></li></ul></li><li><a href="#acknowledgements-section">22. Acknowledgements</a></li><li><a href="#references">23. References</a><ul><li><a href="#normative-references">23.1. Normative References</a></li><li><a href="#informative-references">23.2. Informative References</a></li></ul></li></ul></div>
+      <div class="toc"><ul><li><a href="#introduction">1. Introduction</a></li><li><a href="#use-cases">2. Use Cases</a><ul><li><a href="#multifactor-authentication">2.1. Multi-factor Authentication</a></li><li><a href="#protected-document">2.2. Protected Document Exchange</a></li><li><a href="#cloud-storage">2.3. Cloud Storage</a></li><li><a href="#document-signing">2.4. Document Signing</a></li><li><a href="#data-integrity-protection">2.5. Data Integrity Protection</a></li><li><a href="#secure-messaging">2.6. Secure Messaging</a></li><li><a href="#jose">2.7. Javascript Object Signing and Encryption (JOSE)</a></li></ul></li><li><a href="#conformance">3. Conformance</a></li><li><a href="#scope">4. Scope</a><ul><li><a href="#scope-abstraction">4.1. Level of abstraction</a></li><li><a href="#scope-algorithms">4.2. Cryptographic algorithms</a></li><li><a href="#scope-operations">4.3. Operations</a></li><li><a href="#scope-out-of-scope">4.4. Out of scope</a></li></ul></li><li><a href="#security">5. Security considerations</a><ul><li><a href="#security-implementers">5.1. Security considerations for implementers</a></li><li><a href="#security-developers">5.2. Security considerations for developers</a></li></ul></li><li><a href="#privacy">6. Privacy considerations</a></li><li><a href="#dependencies">7. Dependencies</a></li><li><a href="#terminology">8. Terminology</a></li><li><a href="#RandomSource-interface">9. RandomSource interface</a><ul><li><a href="#RandomSource-description">9.1. Description</a></li><li><a href="#RandomSource-interface-methods">9.2. Methods and Parameters</a><ul><li><a href="#RandomSource-method-getRandomValues">9.2.1. The getRandomValues method</a></li></ul></li></ul></li><li><a href="#algorithm-dictionary">10. Algorithm dictionary</a><ul><li><a href="#algorithm-dictionary-members">10.1. Algorithm Dictionary Members</a></li></ul></li><li><a href="#key-interface">11. Key interface</a><ul><li><a href="#key-interface-description">11.1. 
Description</a></li><li><a href="#key-interface-members">11.2. Key interface members</a></li><li><a href="#key-interface-clone">11.3. Structured clone algorithm</a></li></ul></li><li><a href="#cryptooperation-interface">12. CryptoOperation interface</a><ul><li><a href="#CryptoOperation-processing-model">12.1. Processing Model</a></li><li><a href="#cryptooperation-events">12.2. Event Handler Attributes</a></li><li><a href="#CryptoOperation-attributes">12.3. Attributes</a></li><li><a href="#CryptoOperation-methods">12.4. Methods</a><ul><li><a href="#CryptoOperation-method-process">12.4.1. process(ArrayBufferView data)</a></li><li><a href="#CryptoOperation-method-finish">12.4.2. The finish() method</a></li><li><a href="#CryptoOperation-method-abort">12.4.3. The abort() method</a></li></ul></li></ul></li><li><a href="#KeyOperation-interface">13. KeyOperation interface</a></li><li><a href="#crypto-interface">14. Crypto interface</a></li><li><a href="#subtlecrypto-interface">15. SubtleCrypto interface</a><ul><li><a href="#subtlecrypto-interface-description">15.1. Description</a></li><li><a href="#subtlecrypto-interface-methods">15.2. Methods and Parameters</a><ul><li><a href="#SubtleCrypto-method-encrypt">15.2.1. The encrypt method</a></li><li><a href="#SubtleCrypto-method-decrypt">15.2.2. The decrypt method</a></li><li><a href="#SubtleCrypto-method-sign">15.2.3. The sign method</a></li><li><a href="#SubtleCrypto-method-verify">15.2.4. The verify method</a></li><li><a href="#SubtleCrypto-method-digest">15.2.5. The digest method</a></li><li><a href="#SubtleCrypto-method-generateKey">15.2.6. The generateKey method</a></li><li><a href="#SubtleCrypto-method-deriveKey">15.2.7. The deriveKey method</a></li><li><a href="#SubtleCrypto-method-importKey">15.2.8. The importKey method</a></li><li><a href="#SubtleCrypto-method-exportKey">15.2.9. The exportKey method</a></li></ul></li></ul></li><li><a href="#WorkerCrypto-interface">16. 
WorkerCrypto interface</a><ul><li><a href="#WorkerCrypto-description">16.1. Description</a></li></ul></li><li><a href="#big-integer">17. BigInteger</a></li><li><a href="#keypair">18. KeyPair</a></li><li><a href="#key-discovery">19. Key Discovery</a></li><li><a href="#algorithms">20. Algorithms</a><ul><li><a href="#recommended-algorithms">20.1. Recommended algorithms</a></li><li><a href="#defining-an-algorithm">20.2. Defining an algorithm</a><ul><li><a href="#recognized-algorithm-name">20.2.1. Recognized algorithm name</a></li><li><a href="#supported-operations">20.2.2. Supported operations</a></li><li><a href="#algorithm-specific-params">20.2.3. Algorithm-specific parameters</a></li><li><a href="#algorithm-result">20.2.4. Algorithm results</a></li><li><a href="#algorithm-alias">20.2.5. Algorithm aliases</a></li></ul></li><li><a href="#rsaes-pkcs1">20.3. RSAES-PKCS1-v1_5</a><ul><li><a href="#rsaes-pkcs1-description">20.3.1. Description</a></li><li><a href="#rsaes-pkcs1-registration">20.3.2. Registration</a></li><li><a href="#RsaKeyGenParams-dictionary">20.3.3. RsaKeyGenParams dictionary</a></li><li><a href="#rsaes-pkcs1-operations">20.3.4. Operations</a></li></ul></li><li><a href="#rsassa-pkcs1">20.4. RSASSA-PKCS1-v1_5</a><ul><li><a href="#rsassa-pkcs1-description">20.4.1. Description</a></li><li><a href="#rsassa-pkcs1-registration">20.4.2. Registration</a></li><li><a href="#RsaSsaParams-dictionary">20.4.3. RsaSsaParams dictionary</a></li><li><a href="#rsassa-pkcs1-operations">20.4.4. Operations</a></li></ul></li><li><a href="#rsa-pss">20.5. RSA-PSS</a><ul><li><a href="#rsa-pss-description">20.5.1. Description</a></li><li><a href="#rsa-pss-registration">20.5.2. Registration</a></li><li><a href="#rsa-pss-params">20.5.3. RsaPssParams dictionary</a></li><li><a href="#rsa-pss-operations">20.5.4. Operations</a></li></ul></li><li><a href="#rsa-oaep">20.6. RSA-OAEP</a><ul><li><a href="#rsa-oaep-description">20.6.1. 
Description</a></li><li><a href="#rsa-oaep-registration">20.6.2. Registration</a></li><li><a href="#rsa-oaep-params">20.6.3. RsaOaepParams dictionary</a></li><li><a href="#rsa-oaep-operations">20.6.4. Operations</a></li></ul></li><li><a href="#ecdsa">20.7. ECDSA</a><ul><li><a href="#ecdsa-description">20.7.1. Description</a></li><li><a href="#ecdsa-registration">20.7.2. Registration</a></li><li><a href="#EcdsaParams-dictionary">20.7.3. EcdsaParams dictionary</a></li><li><a href="#EcKeyGenParams-dictionary">20.7.4. EcKeyGenParams dictionary</a></li><li><a href="#ecdsa-operations">20.7.5. Operations</a></li></ul></li><li><a href="#ecdh">20.8. ECDH</a><ul><li><a href="#ecdh-description">20.8.1. Description</a></li><li><a href="#ecdh-registration">20.8.2. Registration</a></li><li><a href="#dh-EcdhKeyDeriveParams">20.8.3. EcdhKeyDeriveParams dictionary</a></li><li><a href="#ecdh-operations">20.8.4. Operations</a></li></ul></li><li><a href="#aes-ctr">20.9. AES-CTR</a><ul><li><a href="#aes-ctr-description">20.9.1. Description</a></li><li><a href="#aes-ctr-registration">20.9.2. Registration</a></li><li><a href="#aes-ctr-params">20.9.3. AesCtrParams dictionary</a></li><li><a href="#aes-keygen-params">20.9.4. AesKeyGenParams dictionary</a></li><li><a href="#aes-ctr-operations">20.9.5. Operations</a></li></ul></li><li><a href="#aes-cbc">20.10. AES-CBC</a><ul><li><a href="#aes-cbc-description">20.10.1. Description</a></li><li><a href="#aes-cbc-registration">20.10.2. Registration</a></li><li><a href="#aes-cbc-params">20.10.3. AesCbcParams dictionary</a></li><li><a href="#aes-cbc-operations">20.10.4. Operations</a></li></ul></li><li><a href="#aes-gcm">20.11. AES-GCM</a><ul><li><a href="#aes-gcm-description">20.11.1. Description</a></li><li><a href="#aes-gcm-registration">20.11.2. Registration</a></li><li><a href="#aes-gcm-params">20.11.3. AesGcmParams dictionary</a></li><li><a href="#aes-gcm-operations">20.11.4. Operations</a></li></ul></li><li><a href="#hmac">20.12. 
HMAC</a><ul><li><a href="#hmac-description">20.12.1. Description</a></li><li><a href="#hmac-registration">20.12.2. Registration</a></li><li><a href="#hmac-params">20.12.3. HmacParams dictionary</a></li><li><a href="#hmac-operations">20.12.4. Operations</a></li></ul></li><li><a href="#dh">20.13. Diffie-Hellman</a><ul><li><a href="#dh-description">20.13.1. Description</a></li><li><a href="#dh-registration">20.13.2. Registration</a></li><li><a href="#dh-DhKeyGenParams">20.13.3. DhKeyGenParams dictionary</a></li><li><a href="#dh-DhKeyDeriveParams">20.13.4. DhKeyDeriveParams dictionary</a></li><li><a href="#dh-operations">20.13.5. Operations</a></li></ul></li><li><a href="#sha">20.14. SHA</a><ul><li><a href="#sha-description">20.14.1. Description</a></li><li><a href="#sha-registration">20.14.2. Registration</a></li><li><a href="#sha-operations">20.14.3. Operations</a></li></ul></li><li><a href="#concatkdf">20.15. Concat KDF</a><ul><li><a href="#concatkdf-description">20.15.1. Description</a></li><li><a href="#concatkdf-registration">20.15.2. Registration</a></li><li><a href="#concat-params">20.15.3. ConcatParams dictionary</a></li><li><a href="#concat-operations">20.15.4. Operations</a></li></ul></li><li><a href="#pbkdf2">20.16. PBKDF2</a><ul><li><a href="#pbkdf2-description">20.16.1. Description</a></li><li><a href="#pbkdf2-registration">20.16.2. Registration</a></li><li><a href="#pbkdf2-params">20.16.3. Pbkdf2Params dictionary</a></li><li><a href="#pbkdf2-operations">20.16.4. Operations</a></li></ul></li></ul></li><li><a href="#algorithm-normalizing-rules">21. Algorithm normalizing rules</a></li><li><a href="#examples-section">22. JavaScript Example Code</a><ul><li><a href="#examples-signing">22.1. Generate a signing key pair, sign some data</a></li><li><a href="#examples-symmetric-encryption">22.2. Symmetric Encryption</a></li></ul></li><li><a href="#acknowledgements-section">23. Acknowledgements</a></li><li><a href="#references">24. 
References</a><ul><li><a href="#normative-references">24.1. Normative References</a></li><li><a href="#informative-references">24.2. Informative References</a></li></ul></li></ul></div>
     </div>
 
     <div id="sections">
@@ -653,7 +653,7 @@
             <div class="note"><div class="noteHeader">Note</div>
               <p>
                 Do not generate keys using the <code>getRandomValues</code> method. Use the
-                <a href="#dfn-Crypto-method-generateKey"><code>generateKey</code></a> method instead.
+                <a href="#dfn-SubtleSubtleCrypto-method-generateKey"><code>generateKey</code></a> method instead.
               </p>
             </div>
           </div>
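Review bot: The new anchor `#dfn-SubtleSubtleCrypto-method-generateKey` carries a doubled `Subtle` prefix, which looks like the Crypto → SubtleCrypto replacement having been applied twice. The later hunks use the same spelling for the `dfn` ids and hrefs of encrypt, decrypt, sign, verify, digest, generateKey, deriveKey, importKey and exportKey, so the links presumably still resolve, but the ids no longer match the `dfn-SubtleCrypto` interface id or the `SubtleCrypto-method-*` section ids. I would use the single form in every occurrence, e.g. `<a href="#dfn-SubtleCrypto-method-generateKey"><code>generateKey</code></a>`. If Overview.html is generated from Overview-WebCryptoAPI.xml, the fix belongs in the XML, which shows the same id.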
@@ -1324,6 +1324,21 @@
       <div id="crypto-interface" class="section">
         <h2>14. Crypto interface</h2>
         <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+interface <dfn id="dfn-Crypto">Crypto</dfn> {
+  readonly attribute <a href="#dfn-SubtleCrypto">SubtleCrypto</a> subtle;
+};
+
+<a href="#dfn-Crypto">Crypto</a> implements <a href="#dfn-RandomSource">RandomSource</a>;
+
+partial interface Window {
+  readonly attribute <a href="#dfn-Crypto">Crypto</a> crypto;
+};
+        </code></pre></div></div>
+      </div>
+
+      <div id="subtlecrypto-interface" class="section">
+        <h2>15. SubtleCrypto interface</h2>
+        <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 enum <dfn id="dfn-KeyFormat">KeyFormat</dfn> {
   <span class="comment">// An unformatted sequence of bytes. Intended for secret keys.</span>
   "raw",
@@ -1335,46 +1350,40 @@
   "jwk",
 };
 
-interface <dfn id="dfn-Crypto">Crypto</dfn> {
-  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-Crypto-method-encrypt">encrypt</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+interface <dfn id="dfn-SubtleCrypto">SubtleCrypto</dfn> {
+  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-encrypt">encrypt</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
                           <a href="#dfn-Key">Key</a> key,
                           optional ArrayBufferView? buffer = null);
-  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-Crypto-method-decrypt">decrypt</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-decrypt">decrypt</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
                           <a href="#dfn-Key">Key</a> key,
                           optional ArrayBufferView? buffer = null);
-  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-Crypto-method-sign">sign</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-sign">sign</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
                        <a href="#dfn-Key">Key</a> key,
                        optional ArrayBufferView? buffer = null);
-  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-Crypto-method-verify">verify</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-verify">verify</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
                          <a href="#dfn-Key">Key</a> key,
                          ArrayBufferView signature,
                          optional ArrayBufferView? buffer = null);
-  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-Crypto-method-digest">digest</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+  <a href="#dfn-CryptoOperation">CryptoOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-digest">digest</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
                          optional ArrayBufferView? buffer = null);
 
   <span class="comment">// TBD: <a href="https://www.w3.org/2012/webcrypto/track/issues/36">ISSUE-36</a></span>
-  <a href="#dfn-KeyOperation">KeyOperation</a> <a href="#dfn-Crypto-method-generateKey">generateKey</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+  <a href="#dfn-KeyOperation">KeyOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-generateKey">generateKey</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
                            bool extractable = false,
                            <a href="#dfn-KeyUsage">KeyUsage</a>[] keyUsages = []);
-  <a href="#dfn-KeyOperation">KeyOperation</a> <a href="#dfn-Crypto-method-deriveKey">deriveKey</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+  <a href="#dfn-KeyOperation">KeyOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-deriveKey">deriveKey</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
                          <a href="#dfn-Key">Key</a> baseKey,
                          <a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a>? derivedKeyType,
                          bool extractable = false,
                          <a href="#dfn-KeyUsage">KeyUsage</a>[] keyUsages = []);
   
   <span class="comment">// TBD: <a href="https://www.w3.org/2012/webcrypto/track/issues/35">ISSUE-35</a></span>
-  <a href="#dfn-KeyOperation">KeyOperation</a> <a href="#dfn-Crypto-method-importKey">importKey</a>(<a href="#dfn-KeyFormat">KeyFormat</a> format,
+  <a href="#dfn-KeyOperation">KeyOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-importKey">importKey</a>(<a href="#dfn-KeyFormat">KeyFormat</a> format,
                          ArrayBufferView keyData,
                          <a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a>? algorithm,
                          bool extractable = false,
                          <a href="#dfn-KeyUsage">KeyUsage</a>[] keyUsages = []);
-  <a href="#dfn-KeyOperation">KeyOperation</a> <a href="#dfn-Crypto-method-exportKey">exportKey</a>(<a href="#dfn-KeyFormat">KeyFormat</a> format, <a href="#dfn-Key">Key</a> key);
-};
-
-<a href="#dfn-Crypto">Crypto</a> implements <a href="#dfn-RandomSource">RandomSource</a>;
-
-partial interface Window {
-  readonly attribute <a href="#dfn-Crypto">Crypto</a> crypto;
+  <a href="#dfn-KeyOperation">KeyOperation</a> <a href="#dfn-SubtleSubtleCrypto-method-exportKey">exportKey</a>(<a href="#dfn-KeyFormat">KeyFormat</a> format, <a href="#dfn-Key">Key</a> key);
 };
         </code></pre></div></div>
         <div class="ednote"><div class="ednoteHeader">Editorial note</div>
@@ -1395,12 +1404,54 @@
             </li>
           </ul>
         </div>
-        <div id="crypto-interface-methods" class="section">
-          <h3>14.1. Methods and Parameters</h3>
-          <div id="Crypto-method-encrypt" class="section">
-            <h4>14.1.1. The encrypt method</h4>
+        <div id="subtlecrypto-interface-description" class="section">
+          <h3>15.1. Description</h3>
+          <p class="norm">This section is non-normative.</p>
+          <p>
+            The <a href="#dfn-SubtleCrypto">SubtleCrypto</a> interface provides a set of
+            methods for dealing with low-level cryptographic primitives and algorithms. It is
+            named <code>SubtleCrypto</code> to reflect the fact that many of these algorithms
+            have subtle usage requirements in order to provide the required algorithmic
+            security guarantees.
+          </p>
+          <p>
+            For example, the direct use of an unauthenticated encryption scheme, such as
+            <a href="#aes-ctr">AES in counter mode</a>, gives potential attackers the ability to
+            manipulate bits in the output by manipulating bits in the input, compromising the
+            integrity of the message. However, AES-CTR can be used securely in combination
+            with other cryptographic primitives, such as message authentication codes, to ensure
+            the integrity of the protected message, but only when the message authentication
+            code is constructed over the encrypted message and IV.
+          </p>
+          <p>
+            Developers making use of the SubtleCrypto interface are expected to be aware of the
+            security concerns associated with both the design and implementation of the various
+            algorithms provided. The raw algorithms are provided in order to allow developers
+            maximum flexibility in implementing a variety of protocols and applications, each of
+            which may represent the composition and security parameters in a unique manner that
+            necessitate the use of the raw algorithms.
+          </p>
+          <div class="ednote"><div class="ednoteHeader">Editorial note</div>
             <p>
-              The <dfn id="dfn-Crypto-method-encrypt"><code>encrypt</code></dfn>
+              Because of the subtleties associated with this API, the Web Cryptography Working
+              Group is also investigating providing a high-level API which provides a
+              comprehensive secure construction and messaging format, to allow new web
+              applications to exchange information without having to be aware of the cryptographic
+              subtleties associated with these individual algorithms.
+            </p>
+            <p>
+              It is likely that such a high-level API will produce messages using algorithms and
+              formats defined in the IETF JOSE Working Group, although this is still a topic of
+              discussion.
+            </p>
+          </div>
+        </div>
+        <div id="subtlecrypto-interface-methods" class="section">
+          <h3>15.2. Methods and Parameters</h3>
+          <div id="SubtleCrypto-method-encrypt" class="section">
+            <h4>15.2.1. The encrypt method</h4>
+            <p>
+              The <dfn id="dfn-SubtleSubtleCrypto-method-encrypt"><code>encrypt</code></dfn>
               method returns a new <a href="#dfn-CryptoOperation"><code>CryptoOperation</code></a>
               object that will encrypt data using the specified
               <a href="#dfn-AlgorithmIdentifier"><code>AlgorithmIdentifier</code></a> with
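Review bot: The AES-CTR example in the new 15.1 Description leaves out conditions a developer needs in order to follow it safely. The phrase "manipulate bits in the output by manipulating bits in the input" does not say which side the attacker controls; wording such as `lets an attacker who alters ciphertext bits flip the corresponding plaintext bits without detection` is clearer. The MAC sentence should also say that the authentication code has to be verified before any decrypted data is used, and that a counter block must never repeat under the same key. Separately, `necessitate` in the third paragraph should read `necessitates`. The encrypt method section that follows continues past the end of this hunk.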
@@ -1499,10 +1550,10 @@
             </ol>
           </div>
 
-          <div id="Crypto-method-decrypt" class="section">
-            <h4>14.1.2. The decrypt method</h4>
+          <div id="SubtleCrypto-method-decrypt" class="section">
+            <h4>15.2.2. The decrypt method</h4>
             <p>
-              The <dfn id="dfn-Crypto-method-decrypt"><code>decrypt</code></dfn>
+              The <dfn id="dfn-SubtleSubtleCrypto-method-decrypt"><code>decrypt</code></dfn>
               method returns a new <a href="#dfn-CryptoOperation"><code>CryptoOperation</code></a>
               object that will decrypt data using the specified
               <a href="#dfn-AlgorithmIdentifier"><code>AlgorithmIdentifier</code></a> with
@@ -1601,10 +1652,10 @@
             </ol>
           </div>
 
-          <div id="Crypto-method-sign" class="section">
-            <h4>14.1.3. The sign method</h4>
+          <div id="SubtleCrypto-method-sign" class="section">
+            <h4>15.2.3. The sign method</h4>
             <p>
-              The <dfn id="dfn-Crypto-method-sign"><code>sign</code></dfn> method
+              The <dfn id="dfn-SubtleSubtleCrypto-method-sign"><code>sign</code></dfn> method
               returns a new <a href="#dfn-CryptoOperation"><code>CryptoOperation</code></a>
               object that will sign data using the specified
               <a href="#dfn-AlgorithmIdentifier"><code>AlgorithmIdentifier</code></a> with
@@ -1702,10 +1753,10 @@
             </ol>
           </div>
 
-          <div id="Crypto-method-verify" class="section">
-            <h4>14.1.4. The verify method</h4>
+          <div id="SubtleCrypto-method-verify" class="section">
+            <h4>15.2.4. The verify method</h4>
             <p>
-              The <dfn id="dfn-Crypto-method-verify"><code>verify</code></dfn> method
+              The <dfn id="dfn-SubtleSubtleCrypto-method-verify"><code>verify</code></dfn> method
               returns a new <a href="#dfn-CryptoOperation"><code>CryptoOperation</code></a>
               object that will verify data using the specified
               <a href="#dfn-AlgorithmIdentifier"><code>AlgorithmIdentifier</code></a> with
@@ -1803,10 +1854,10 @@
             </ol>
           </div>
 
-          <div id="Crypto-method-digest" class="section">
-            <h4>14.1.5. The digest method</h4>
+          <div id="SubtleCrypto-method-digest" class="section">
+            <h4>15.2.5. The digest method</h4>
             <p>
-              The <dfn id="dfn-Crypto-method-digest"><code>digest</code></dfn> method returns
+              The <dfn id="dfn-SubtleSubtleCrypto-method-digest"><code>digest</code></dfn> method returns
               a new <a href="#dfn-CryptoOperation"><code>CryptoOperation</code></a>
               object that will digest data using the specified
               <a href="#dfn-AlgorithmIdentifier"><code>AlgorithmIdentifier</code></a>.
@@ -1904,10 +1955,10 @@
             </ol>
           </div>
 
-          <div id="Crypto-method-generateKey" class="section">
-            <h4>14.1.6. The generateKey method</h4>
+          <div id="SubtleCrypto-method-generateKey" class="section">
+            <h4>15.2.6. The generateKey method</h4>
             <p>
-              When invoked, <dfn id="dfn-Crypto-method-generateKey"><code>generateKey</code></dfn> <span class="RFC2119">MUST</span> perform the following steps:
+              When invoked, <dfn id="dfn-SubtleSubtleCrypto-method-generateKey"><code>generateKey</code></dfn> <span class="RFC2119">MUST</span> perform the following steps:
             </p>
             <ol>
               <li>
@@ -2004,10 +2055,10 @@
             </div>
           </div>
           
-          <div id="Crypto-method-deriveKey" class="section">
-            <h4>14.1.7. The deriveKey method</h4>
+          <div id="SubtleCrypto-method-deriveKey" class="section">
+            <h4>15.2.7. The deriveKey method</h4>
             <p>
-              When invoked, <dfn id="dfn-Crypto-method-deriveKey"><code>deriveKey</code></dfn> <span class="RFC2119">MUST</span> perform the following steps:
+              When invoked, <dfn id="dfn-SubtleSubtleCrypto-method-deriveKey"><code>deriveKey</code></dfn> <span class="RFC2119">MUST</span> perform the following steps:
             </p>
             <ol>
               <li>
@@ -2113,12 +2164,12 @@
             </div>
           </div>
 
-          <div id="Crypto-method-importKey" class="section">
-            <h4>14.1.8. The <dfn id="dfn-Crypto-method-importKey">importKey</dfn> method</h4>
+          <div id="SubtleCrypto-method-importKey" class="section">
+            <h4>15.2.8. The <dfn id="dfn-SubtleSubtleCrypto-method-importKey">importKey</dfn> method</h4>
             <p></p>
           </div>
-          <div id="Crypto-method-exportKey" class="section">
-            <h4>14.1.9. The <dfn id="dfn-Crypto-method-exportKey">exportKey</dfn> method</h4>
+          <div id="SubtleCrypto-method-exportKey" class="section">
+            <h4>15.2.9. The <dfn id="dfn-SubtleSubtleCrypto-method-exportKey">exportKey</dfn> method</h4>
             <p></p>
           </div>
           
@@ -2126,7 +2177,7 @@
       </div>
 
       <div id="WorkerCrypto-interface" class="section">
-        <h2>15. WorkerCrypto interface</h2>
+        <h2>16. WorkerCrypto interface</h2>
         <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 interface <dfn id="dfn-WorkerCrypto">WorkerCrypto</dfn> {
 };
@@ -2138,7 +2189,7 @@
 };
         </code></pre></div></div>
         <div id="WorkerCrypto-description" class="section">
-          <h3>15.1. Description</h3>
+          <h3>16.1. Description</h3>
           <p>
             The <a href="#dfn-WorkerCrypto">WorkerCrypto</a> interface provides cryptographic
             functionality for background scripts, as specified by Web Workers [
@@ -2156,7 +2207,7 @@
       </div>
 
       <div id="big-integer" class="section">
-        <h2>16. BigInteger</h2>
+        <h2>17. BigInteger</h2>
         <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 typedef Uint8Array <dfn id="dfn-BigInteger">BigInteger</dfn>;
         </code></pre></div></div>
@@ -2171,7 +2222,7 @@
       </div>
       
       <div id="keypair" class="section">
-        <h2>17. KeyPair</h2>
+        <h2>18. KeyPair</h2>
         <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 interface <dfn id="dfn-KeyPair">KeyPair</dfn> {
   <a href="#dfn-Key">Key</a> publicKey;
@@ -2185,13 +2236,13 @@
       </div>
 
       <div id="key-discovery" class="section">
-        <h2>18. Key Discovery</h2>
+        <h2>19. Key Discovery</h2>
         <p class="norm">This section is non-normative.</p>
         <div class="ednote"><div class="ednoteHeader">Editorial note</div>
           <p>
             The Working Group is actively discussing means of discovering <code><a href="#dfn-Key">Key</a></code>
             objects that are not not directly created by the application via
-            <code><a href="#Crypto-method-generateKey">generateKey</a></code>, or allowing
+            <code><a href="#SubtleCrypto-method-generateKey">generateKey</a></code>, or allowing
             web applications to indicate how and where the cryptographic keying material associated with
             <code>Key</code> objects is stored. Examples of such <code>Key</code> objects or interfaces that
             may be exposed include:
@@ -2228,9 +2279,9 @@
       </div>
 
       <div id="algorithms" class="section">
-        <h2>19. Algorithms</h2>
+        <h2>20. Algorithms</h2>
         <div id="recommended-algorithms" class="section">
-          <h3>19.1. Recommended algorithms</h3>
+          <h3>20.1. Recommended algorithms</h3>
           <p class="norm">This section is non-normative</p>
           <p>
             As the API is meant to be extensible in order to keep up with future developments within
@@ -2269,7 +2320,7 @@
           </p>
         </div>
         <div id="defining-an-algorithm" class="section">
-          <h3>19.2. Defining an algorithm</h3>
+          <h3>20.2. Defining an algorithm</h3>
           <p>
             Each algorithm that is to be exposed via the Web Cryptography API
             <span class="RFC2119">SHOULD</span> be registered via the Web Cryptography working group,
@@ -2278,7 +2329,7 @@
             <span class="RFC2119">MUST</span> be processed as if the sections had been defined.
           </p>
           <div id="recognized-algorithm-name" class="section">
-            <h4>19.2.1. Recognized algorithm name</h4>
+            <h4>20.2.1. Recognized algorithm name</h4>
             <p>
               Each registered algorithm <span class="RFC2119">MUST</span> have a canonical name
               for which applications can refer to the algorithm. The canonical name
@@ -2289,14 +2340,14 @@
             </p>
           </div>
           <div id="supported-operations" class="section">
-            <h4>19.2.2. Supported operations</h4>
+            <h4>20.2.2. Supported operations</h4>
             <p>
               Each registered algorithm <span class="RFC2119">MUST</span> define the operations
               that it supports.
             </p>
           </div>
           <div id="algorithm-specific-params" class="section">
-            <h4>19.2.3. Algorithm-specific parameters</h4>
+            <h4>20.2.3. Algorithm-specific parameters</h4>
             <p>
               Each registered algorithm <span class="RFC2119">MUST</span> define the expected
               contents of the <a href="#dfn-Algorithm-params"><code>params</code></a> member of
@@ -2311,7 +2362,7 @@
             </p>
           </div>
           <div id="algorithm-result" class="section">
-            <h4>19.2.4. Algorithm results</h4>
+            <h4>20.2.4. Algorithm results</h4>
             <p>
               Each registered algorithm <span class="RFC2119">MUST</span> define the contents
               of the <a href="#dfn-CryptoOperation-result"><code>result</code></a> attribute of the
@@ -2320,7 +2371,7 @@
             </p>
           </div>
           <div id="algorithm-alias" class="section">
-            <h4>19.2.5. <dfn id="dfn-algorithm-alias">Algorithm aliases</dfn></h4>
+            <h4>20.2.5. <dfn id="dfn-algorithm-alias">Algorithm aliases</dfn></h4>
             <p>
               Each registered algorithm <span class="RFC2119">MAY</span> define one or more aliases
               that may define a fully normalized <a href="#dfn-Algorithm">Algorithm</a> object.
@@ -2343,9 +2394,9 @@
         </div>
 
         <div id="rsaes-pkcs1" class="section">
-          <h3>19.3. RSAES-PKCS1-v1_5</h3>
+          <h3>20.3. RSAES-PKCS1-v1_5</h3>
           <div id="rsaes-pkcs1-description" class="section">
-            <h4>19.3.1. Description</h4>
+            <h4>20.3.1. Description</h4>
             <p>
               The <code>"RSAES-PKCS1-v1_5"</code> algorithm identifier is used to perform encryption
               and decryption ordering to the RSAES-PKCS1-v1_5 algorithm specified in
@@ -2353,7 +2404,7 @@
             </p>
           </div>
           <div id="rsaes-pkcs1-registration" class="section">
-            <h4>19.3.2. Registration</h4>
+            <h4>20.3.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"RSAES-PKCS1-v1_5"</code>.
@@ -2386,7 +2437,7 @@
             </table>
           </div>
           <div id="RsaKeyGenParams-dictionary" class="section">
-            <h4>19.3.3. RsaKeyGenParams dictionary</h4>
+            <h4>20.3.3. RsaKeyGenParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-RsaKeyGenParams">RsaKeyGenParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The length, in bits, of the RSA modulus</span>
@@ -2397,7 +2448,7 @@
             </code></pre></div></div>
           </div>
           <div id="rsaes-pkcs1-operations" class="section">
-            <h4>19.3.4. Operations</h4>
+            <h4>20.3.4. Operations</h4>
             <div class="ednote"><div class="ednoteHeader">Editorial note</div>
               <p>
                 Note: The following processing algorithms have not been updated to match the processing algorithm
@@ -2531,9 +2582,9 @@
         </div>
 
         <div id="rsassa-pkcs1" class="section">
-          <h3>19.4. RSASSA-PKCS1-v1_5</h3>
+          <h3>20.4. RSASSA-PKCS1-v1_5</h3>
           <div id="rsassa-pkcs1-description" class="section">
-            <h4>19.4.1. Description</h4>
+            <h4>20.4.1. Description</h4>
             <p>
               The <code>"RSASSA-PKCS1-v1_5"</code> algorithm identifier is used to perform
               signing and verification using the RSASSA-PKCS1-v1_5 algorithm specified in
@@ -2541,7 +2592,7 @@
             </p>
           </div>
           <div id="rsassa-pkcs1-registration" class="section">
-            <h4>19.4.2. Registration</h4>
+            <h4>20.4.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"RSASSA-PKCS1-v1_5"</code>.
@@ -2574,7 +2625,7 @@
             </table>
           </div>
           <div id="RsaSsaParams-dictionary" class="section">
-            <h4>19.4.3. RsaSsaParams dictionary</h4>
+            <h4>20.4.3. RsaSsaParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-RsaSsaParams">RsaSsaParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The hash algorithm to use</span> 
@@ -2583,7 +2634,7 @@
             </code></pre></div></div>
           </div>
           <div id="rsassa-pkcs1-operations" class="section">
-            <h4>19.4.4. Operations</h4>
+            <h4>20.4.4. Operations</h4>
             <ul>
               <li>Sign</li>
               <li>Verify</li>
@@ -2593,9 +2644,9 @@
         </div>
 
         <div id="rsa-pss" class="section">
-          <h3>19.5. RSA-PSS</h3>
+          <h3>20.5. RSA-PSS</h3>
           <div id="rsa-pss-description" class="section">
-            <h4>19.5.1. Description</h4>
+            <h4>20.5.1. Description</h4>
             <p>
               The <code>"RSA-PSS"</code> algorithm identifier is used to perform signing
               and verification using the RSASSA-PSS algorithm specified in
@@ -2604,7 +2655,7 @@
             </p>
           </div>
           <div id="rsa-pss-registration" class="section">
-            <h4>19.5.2. Registration</h4>
+            <h4>20.5.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"RSA-PSS"</code>.
@@ -2637,7 +2688,7 @@
             </table>
           </div>
           <div id="rsa-pss-params" class="section">
-            <h4>19.5.3. RsaPssParams dictionary</h4>
+            <h4>20.5.3. RsaPssParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-RsaPssParams">RsaPssParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The hash function to apply to the message</span>
@@ -2648,7 +2699,7 @@
             </code></pre></div></div>
           </div>
           <div id="rsa-pss-operations" class="section">
-            <h4>19.5.4. Operations</h4>
+            <h4>20.5.4. Operations</h4>
             <ul>
               <li>Sign</li>
               <li>Verify</li>
@@ -2658,9 +2709,9 @@
         </div>
 
         <div id="rsa-oaep" class="section">
-          <h3>19.6. RSA-OAEP</h3>
+          <h3>20.6. RSA-OAEP</h3>
           <div id="rsa-oaep-description" class="section">
-            <h4>19.6.1. Description</h4>
+            <h4>20.6.1. Description</h4>
             <p>
               The <code>"RSA-OAEP"</code> algorithm identifier is used to perform encryption
               and decryption ordering to the RSAES-OAEP algorithm specified in
@@ -2669,7 +2720,7 @@
             </p>
           </div>
           <div id="rsa-oaep-registration" class="section">
-            <h4>19.6.2. Registration</h4>
+            <h4>20.6.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"RSA-OAEP"</code>.
@@ -2703,7 +2754,7 @@
           </div>
 
           <div id="rsa-oaep-params" class="section">
-            <h4>19.6.3. RsaOaepParams dictionary</h4>
+            <h4>20.6.3. RsaOaepParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-RsaOaepParams">RsaOaepParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The hash function to apply to the message</span>
@@ -2714,7 +2765,7 @@
             </code></pre></div></div>
           </div>
           <div id="rsa-oaep-operations" class="section">
-            <h4>19.6.4. Operations</h4>
+            <h4>20.6.4. Operations</h4>
             <ul>
               <li>Encrypt</li>
               <li>Decrypt</li>
@@ -2724,9 +2775,9 @@
         </div>
 
         <div id="ecdsa" class="section">
-          <h3>19.7. ECDSA</h3>
+          <h3>20.7. ECDSA</h3>
           <div id="ecdsa-description" class="section">
-            <h4>19.7.1. Description</h4>
+            <h4>20.7.1. Description</h4>
             <p>
               The <code>"ECDSA"</code> algorithm identifier is used to perform signing
               and verification using the ECDSA algorithm specified in
@@ -2734,7 +2785,7 @@
             </p>
           </div>
           <div id="ecdsa-registration" class="section">
-            <h4>19.7.2. Registration</h4>
+            <h4>20.7.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"ECDSA"</code>.
@@ -2768,7 +2819,7 @@
             </table>
           </div>
           <div id="EcdsaParams-dictionary" class="section">
-            <h4>19.7.3. EcdsaParams dictionary</h4>
+            <h4>20.7.3. EcdsaParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-EcdsaParams">EcdsaParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The hash algorithm to use</span>
@@ -2777,7 +2828,7 @@
             </code></pre></div></div>
           </div>
           <div id="EcKeyGenParams-dictionary" class="section">
-            <h4>19.7.4. EcKeyGenParams dictionary</h4>
+            <h4>20.7.4. EcKeyGenParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 enum <dfn id="dfn-NamedCurve">NamedCurve</dfn> {
   <span class="comment">// NIST recommended curve P-256, also known as secp256r1.</span>
@@ -2800,7 +2851,7 @@
           </div>
 
           <div id="ecdsa-operations" class="section">
-            <h4>19.7.5. Operations</h4>
+            <h4>20.7.5. Operations</h4>
             <div class="ednote"><div class="ednoteHeader">Editorial note</div>
               <p>
                 Note: The following processing algorithms have not been updated to match the processing algorithm
@@ -2930,16 +2981,16 @@
         </div>
 
         <div id="ecdh" class="section">
-          <h3>19.8. ECDH</h3>
+          <h3>20.8. ECDH</h3>
           <div id="ecdh-description" class="section">
-            <h4>19.8.1. Description</h4>
+            <h4>20.8.1. Description</h4>
             <p>
               This describes using Elliptic Curve Diffie-Hellman (ECDH) for key generation and key agreement, as
               specified by <a href="#X9.63">X9.63</a>.
             </p>
           </div>
           <div id="ecdh-registration" class="section">
-            <h4>19.8.2. Registration</h4>
+            <h4>20.8.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"ECDH"</code>.
@@ -2967,7 +3018,7 @@
             </table>
           </div>
           <div id="dh-EcdhKeyDeriveParams" class="section">
-            <h4>19.8.3. EcdhKeyDeriveParams dictionary</h4>
+            <h4>20.8.3. EcdhKeyDeriveParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 typedef Uint8Array <dfn id="dfn-ECPoint">ECPoint</dfn>;
 
@@ -2983,7 +3034,7 @@
             </p>
           </div>
           <div id="ecdh-operations" class="section">
-            <h4>19.8.4. Operations</h4>
+            <h4>20.8.4. Operations</h4>
             <ul>
               <li>Generate Key</li>
               <li>Derive Key
@@ -3003,14 +3054,14 @@
         </div>
 
         <div id="aes-ctr" class="section">
-          <h3>19.9. AES-CTR</h3>
+          <h3>20.9. AES-CTR</h3>
           <div id="aes-ctr-description" class="section">
-            <h4>19.9.1. Description</h4>
+            <h4>20.9.1. Description</h4>
             <p>
             </p>
           </div>
           <div id="aes-ctr-registration" class="section">
-            <h4>19.9.2. Registration</h4>
+            <h4>20.9.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"AES-CTR"</code>.
@@ -3044,7 +3095,7 @@
           </div>
 
           <div id="aes-ctr-params" class="section">
-            <h4>19.9.3. AesCtrParams dictionary</h4>
+            <h4>20.9.3. AesCtrParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-AesCtrParams">AesCtrParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The initial value of the counter block. counter <span class="RFC2119">MUST</span> be 16 bytes
@@ -3062,7 +3113,7 @@
             </code></pre></div></div>
           </div>
           <div id="aes-keygen-params" class="section">
-            <h4>19.9.4. AesKeyGenParams dictionary</h4>
+            <h4>20.9.4. AesKeyGenParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-AesKeyGenParams">AesKeyGenParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The length, in bits, of the key.</span>
@@ -3071,7 +3122,7 @@
             </code></pre></div></div>
           </div>
           <div id="aes-ctr-operations" class="section">
-            <h4>19.9.5. Operations</h4>
+            <h4>20.9.5. Operations</h4>
             <ul>
               <li>Encrypt</li>
               <li>Decrypt</li>
@@ -3081,12 +3132,12 @@
         </div>
 
         <div id="aes-cbc" class="section">
-          <h3>19.10. AES-CBC</h3>
+          <h3>20.10. AES-CBC</h3>
           <div id="aes-cbc-description" class="section">
-            <h4>19.10.1. Description</h4>
+            <h4>20.10.1. Description</h4>
           </div>
           <div id="aes-cbc-registration" class="section">
-            <h4>19.10.2. Registration</h4>
+            <h4>20.10.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"AES-CBC"</code>.
@@ -3119,7 +3170,7 @@
             </table>
           </div>
           <div id="aes-cbc-params" class="section">
-            <h4>19.10.3. AesCbcParams dictionary</h4>
+            <h4>20.10.3. AesCbcParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-AesCbcParams">AesCbcParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The initialization vector. <span class="RFC2119">MUST</span> be 16 bytes.</span>
@@ -3128,7 +3179,7 @@
             </code></pre></div></div>
           </div>
           <div id="aes-cbc-operations" class="section">
-            <h4>19.10.4. Operations</h4>
+            <h4>20.10.4. Operations</h4>
             <ul>
               <li>Encrypt</li>
               <li>Decrypt</li>
@@ -3138,12 +3189,12 @@
         </div>
 
         <div id="aes-gcm" class="section">
-          <h3>19.11. AES-GCM</h3>
+          <h3>20.11. AES-GCM</h3>
           <div id="aes-gcm-description" class="section">
-            <h4>19.11.1. Description</h4>
+            <h4>20.11.1. Description</h4>
           </div>
           <div id="aes-gcm-registration" class="section">
-             <h4>19.11.2. Registration</h4>
+             <h4>20.11.2. Registration</h4>
              <p>
                The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
                this algorithm is <code>"AES-GCM"</code>.
@@ -3176,7 +3227,7 @@
              </table>
            </div>
           <div id="aes-gcm-params" class="section">
-            <h4>19.11.3. AesGcmParams dictionary</h4>
+            <h4>20.11.3. AesGcmParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-AesGcmParams">AesGcmParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The initialization vector to use. May be up to 2^56 bytes long.</span>
@@ -3189,7 +3240,7 @@
             </code></pre></div></div>
           </div>
           <div id="aes-gcm-operations" class="section">
-            <h4>19.11.4. Operations</h4>
+            <h4>20.11.4. Operations</h4>
             <ul>
               <li>Encrypt</li>
               <li>Decrypt</li>
@@ -3199,12 +3250,12 @@
         </div>
 
         <div id="hmac" class="section">
-          <h3>19.12. HMAC</h3>
+          <h3>20.12. HMAC</h3>
           <div id="hmac-description" class="section">
-            <h4>19.12.1. Description</h4>
+            <h4>20.12.1. Description</h4>
           </div>
           <div id="hmac-registration" class="section">
-            <h4>19.12.2. Registration</h4>
+            <h4>20.12.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"HMAC"</code>.
@@ -3237,7 +3288,7 @@
             </table>
           </div>
           <div id="hmac-params" class="section">
-            <h4>19.12.3. HmacParams dictionary</h4>
+            <h4>20.12.3. HmacParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-HmacParams">HmacParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The inner hash function to use.</span>
@@ -3246,7 +3297,7 @@
             </code></pre></div></div>
           </div>
           <div id="hmac-operations" class="section">
-            <h4>19.12.4. Operations</h4>
+            <h4>20.12.4. Operations</h4>
             <ul>
               <li>Sign</li>
               <li>Verify</li>
@@ -3255,16 +3306,16 @@
           </div>
         </div>
         <div id="dh" class="section">
-          <h3>19.13. Diffie-Hellman</h3>
+          <h3>20.13. Diffie-Hellman</h3>
           <div id="dh-description" class="section">
-            <h4>19.13.1. Description</h4>
+            <h4>20.13.1. Description</h4>
             <p>
               This describes using Diffie-Hellman for key generation and key agreement, as specified
               by <a href="#PKCS3">PKCS #3</a>.
             </p>
           </div>
           <div id="dh-registration" class="section">
-            <h4>19.13.2. Registration</h4>
+            <h4>20.13.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"DH"</code>.
@@ -3292,7 +3343,7 @@
             </table>
           </div>
           <div id="dh-DhKeyGenParams" class="section">
-            <h4>19.13.3. DhKeyGenParams dictionary</h4>
+            <h4>20.13.3. DhKeyGenParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-DhKeyGenParams">DhKeyGenParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The prime p.</span>
@@ -3303,7 +3354,7 @@
             </code></pre></div></div>
           </div>
           <div id="dh-DhKeyDeriveParams" class="section">
-            <h4>19.13.4. DhKeyDeriveParams dictionary</h4>
+            <h4>20.13.4. DhKeyDeriveParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-DhKeyDeriveParams">DhKeyDeriveParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The peer's public value.</span>
@@ -3312,7 +3363,7 @@
             </code></pre></div></div>
           </div>
           <div id="dh-operations" class="section">
-            <h4>19.13.5. Operations</h4>
+            <h4>20.13.5. Operations</h4>
             <ul>
               <li>Generate Key</li>
               <li>Derive Key</li>
@@ -3320,16 +3371,16 @@
           </div>
         </div>
         <div id="sha" class="section">
-          <h3>19.14. SHA</h3>
+          <h3>20.14. SHA</h3>
           <div id="sha-description" class="section">
-            <h4>19.14.1. Description</h4>
+            <h4>20.14.1. Description</h4>
             <p>
               This describes the SHA-1 and SHA-2 families, as specified by
               [<a href="#FIPS180-4">FIPS 180-4</a>].
             </p>
           </div>
           <div id="sha-registration" class="section">
-            <h4>19.14.2. Registration</h4>
+            <h4>20.14.2. Registration</h4>
             <p>
               The following algorithms are added as <a href="#recognized-algorithm-name">
               recognized algorithm names</a>:
@@ -3364,16 +3415,16 @@
             </table>
           </div>
           <div id="sha-operations" class="section">
-            <h4>19.14.3. Operations</h4>
+            <h4>20.14.3. Operations</h4>
             <ul>
               <li>Digest</li>
             </ul>
           </div>
         </div>
         <div id="concatkdf" class="section">
-          <h3>19.15. Concat KDF</h3>
+          <h3>20.15. Concat KDF</h3>
           <div id="concatkdf-description" class="section">
-            <h4>19.15.1. Description</h4>
+            <h4>20.15.1. Description</h4>
             <p>
               The <code>"CONCAT"</code> algorithm identifier is used to perform key derivation
               using the key derivation algorithm defined in Section 5.8.1 of NIST SP 800-56A
@@ -3381,7 +3432,7 @@
             </p>
           </div>
           <div id="concatkdf-registration" class="section">
-            <h4>19.15.2. Registration</h4>
+            <h4>20.15.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"CONCAT"</code>.
@@ -3404,7 +3455,7 @@
             </table>
           </div>
           <div id="concat-params" class="section">
-            <h4>19.15.3. ConcatParams dictionary</h4>
+            <h4>20.15.3. ConcatParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-ConcatParams">ConcatParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The digest method to use to derive the keying material.</span>
@@ -3427,19 +3478,19 @@
             </code></pre></div></div>
           </div>
           <div id="concat-operations" class="section">
-            <h4>19.15.4. Operations</h4>
+            <h4>20.15.4. Operations</h4>
             <ul>
               <li>Derive Key</li>
             </ul>
           </div>
         </div>
         <div id="pbkdf2" class="section">
-          <h3>19.16. PBKDF2</h3>
+          <h3>20.16. PBKDF2</h3>
           <div id="pbkdf2-description" class="section">
-            <h4>19.16.1. Description</h4>
+            <h4>20.16.1. Description</h4>
           </div>
           <div id="pbkdf2-registration" class="section">
-            <h4>19.16.2. Registration</h4>
+            <h4>20.16.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"PBKDF2"</code>.
@@ -3462,7 +3513,7 @@
             </table>
           </div>
           <div id="pbkdf2-params" class="section">
-            <h4>19.16.3. Pbkdf2Params dictionary</h4>
+            <h4>20.16.3. Pbkdf2Params dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-Pbkdf2Params">Pbkdf2Params</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   ArrayBufferView salt;
@@ -3481,7 +3532,7 @@
             </div>
           </div>
           <div id="pbkdf2-operations" class="section">
-            <h4>19.16.4. Operations</h4>
+            <h4>20.16.4. Operations</h4>
             <ul>
               <li>Derive Key</li>
             </ul>
@@ -3490,7 +3541,7 @@
       </div>
  
       <div id="algorithm-normalizing-rules" class="section">
-        <h2>20. Algorithm normalizing rules</h2>
+        <h2>21. Algorithm normalizing rules</h2>
         <p>
           The <a href="#dfn-AlgorithmIdentifier"><code>AlgorithmIdentifier</code></a> typedef
           permits algorithms to be specified as either a <code>dictionary</code> or a DOMString.
@@ -3559,9 +3610,9 @@
         </ol>
       </div>
       <div id="examples-section" class="section">
-        <h2>21. JavaScript Example Code</h2>
+        <h2>22. JavaScript Example Code</h2>
         <div id="examples-signing" class="section">
-          <h3>21.1. Generate a signing key pair, sign some data</h3>
+          <h3>22.1. Generate a signing key pair, sign some data</h3>
         
         <div class="block"><div class="blockTitleDiv"><span class="blockTitle">ECMAScript</span></div><div class="blockContent"><pre class="code"><code class="es-code">
 <span class="comment">// Algorithm Object</span>
@@ -3584,7 +3635,7 @@
   }
 };
 
-var keyGen = window.crypto.generateKey(algorithmKeyGen,
+var keyGen = window.crypto.subtle.generateKey(algorithmKeyGen,
                                        false, <span class="comment">// extractable</span>
                                        ["sign"]);
 
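Review bot: The continuation arguments under the renamed call no longer line up with the opening parenthesis. `window.crypto.subtle.generateKey(` is seven columns longer than before, but the `false,` and `["sign"]` lines keep their old indent. Re-indent both continuation lines by seven spaces so the argument list reads as one column again. The `generateKey` call in the symmetric-encryption example (22.2) has the same drift. The example itself starts and ends outside this hunk.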
@@ -3615,7 +3666,7 @@
         </code></pre></div></div>
         </div>
         <div id="examples-symmetric-encryption" class="section">
-          <h3>21.2. Symmetric Encryption</h3>
+          <h3>22.2. Symmetric Encryption</h3>
         <div class="block"><div class="blockTitleDiv"><span class="blockTitle">ECMAScript</span></div><div class="blockContent"><pre class="code"><code class="es-code">
 var clearDataArrayBufferView = convertPlainTextToArrayBufferView("Plain Text Data");
 <span class="comment">// TODO: create example utility function that converts text -&gt; ArrayBufferView</span>
@@ -3637,7 +3688,7 @@
 };
 
 <span class="comment">// Create a keygenerator to produce a one-time-use AES key to encrypt some data</span>
-var cryptoKeyGen = window.crypto.generateKey(aesAlgorithmKeyGen,
+var cryptoKeyGen = window.crypto.subtle.generateKey(aesAlgorithmKeyGen,
                                              false, <span class="comment">// extractable</span>
                                              ["encrypt"]);
 
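Review bot: The key in this example is created non-extractable (`false`) with `["encrypt"]` as its only usage, so as far as this hunk shows, nothing could ever decrypt the ciphertext it produces. Spec examples get copied, so either request both usages, `["encrypt", "decrypt"]);`, or say in the comment that the key is encrypt-only on purpose, e.g. `// Encrypt-only, non-extractable key: the ciphertext cannot be decrypted later`. The rest of the example lies outside the hunk, so a later step may already cover this.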
@@ -3647,7 +3698,7 @@
 
   <span class="comment">// Unlike the signing example, which showed multi-part encryption, here we
   // will perform the entire AES operation in a single call.</span>
-  var aesOp = window.crypto.encrypt(aesAlgorithmEncrypt, aesKey, clearDataArrayBufferView);
+  var aesOp = window.crypto.subtle.encrypt(aesAlgorithmEncrypt, aesKey, clearDataArrayBufferView);
   aesOp.oncomplete = function(event) {
     <span class="comment">// The clearData has been encrypted.</span>
     var ciphertext = event.target.result; <span class="comment">// ArrayBufferView</span>
@@ -3660,7 +3711,7 @@
       </div>
     </div>
       <div id="acknowledgements-section" class="section">
-        <h2>22. Acknowledgements</h2>
+        <h2>23. Acknowledgements</h2>
         <p>
           The editors would like to thank Adam Barth, Alex Russell, Ali Asad, Arun Ranganathan,
           Brian Smith, Brian Warner, Channy Yun, Kai Engert, Mark Watson, Vijay Bharadwaj,
@@ -3681,9 +3732,9 @@
         </p>
       </div>
       <div id="references" class="section">
-         <h2>23. References</h2>
+         <h2>24. References</h2>
          <div id="normative-references" class="section">
-           <h3>23.1. Normative References</h3>
+           <h3>24.1. Normative References</h3>
            <dl>
              <dt id="DOM4">DOM4</dt>
              <dd>
@@ -3756,7 +3807,7 @@
            </dl>
         </div>
         <div id="informative-references" class="section">
-          <h3>23.2. Informative References</h3>
+          <h3>24.2. Informative References</h3>
           <dl>
             <dt id="CDSA">CDSA</dt>
             <dd>